UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Windows Security Settings
Feed of http://forum.ultimatewindowssecurity.com/ retrieved Sun, 15 Sep 2019 08:45:04 GMT

----------------------------------------

Ports requirement between LogBinder and MS Exchange and LogBinder and Active Directory
http://forum.ultimatewindowssecurity.com/Topic7427-7-1.aspx

Hi Experts,

Is there any specific port to be opened between LogBinder and MS Exchange 2010, and between LogBinder and Active Directory, for successful communication?

Kindly help, if anyone knows.

BR,
Burhan

Posted Mon, 20 Nov 2017 01:28:39 GMT by Burh@n

----------------------------------------

security settings stops download
http://forum.ultimatewindowssecurity.com/Topic7370-7-1.aspx

Hello,

I'm trying to download a cleaner and antivirus but I get a pop-up that says "security setting will not let you download this file." This also happened when trying to download other files from the internet to save to my laptop. I'm wondering how to change the settings so I can download from the internet.

I didn't find the right solution on the Internet.

References: https://www.sevenforums.com/general-discussion/405632-security-settings-stops-download.html

Posted Fri, 19 May 2017 04:35:52 GMT by williamhawk

----------------------------------------

Remove Internet access from Admin level accounts but not regular accts
http://forum.ultimatewindowssecurity.com/Topic7326-7-1.aspx

We have limited internet access systems due to government requirements. Hard drives locked down, only USB connections with approved devices. 2 standalone machines. The auditor has a requirement that admin level accounts cannot have access to the internet. The machine is already locked down to 3 SSL-connected web sites only. How do I block the 2 admin level accounts from getting to the internet? Some parental control software, and would it work on the admin accounts?

Posted Wed, 08 Mar 2017 10:28:04 GMT by jbuzard4

----------------------------------------

Local login
http://forum.ultimatewindowssecurity.com/Topic5223-7-1.aspx

Hi all,

Please guide me here on how to track non-domain user logons.

Regards,
younus

Posted Tue, 21 Jun 2016 01:06:40 GMT by younus

----------------------------------------

Dial-up checked in Ctrl+Alt+Del box
http://forum.ultimatewindowssecurity.com/Topic5214-7-1.aspx

Hi to all,

We had a strange problem today in the network. A user was trying to log on to the domain and received Error 711: "The operation could not finish because it could not start the Remote Access Connection Manager Service in time. Please try the operation again." The problem was that in the Ctrl+Alt+Del dialog the option box "Log on using dial-up connection" was checked while he was trying to log on to the domain (the Remote Access Connection Manager service is disabled by us). The user told us that he hadn't clicked it, so we did not understand why it was checked after he turned on the computer. Does anyone know when this box appears in that situation, that is, what can cause this option to appear selected? I checked in Network Connections and I couldn't find a dial-up connection configured.

Best regards and thanks in advance.

Posted Fri, 27 May 2016 15:48:43 GMT by pepin

----------------------------------------

Audit IP change on Windows
http://forum.ultimatewindowssecurity.com/Topic5200-7-1.aspx

Hello,

How do I audit an IP change on Windows (7 and later), on all interfaces?

Regards

Posted Mon, 02 May 2016 09:19:50 GMT by daniel

----------------------------------------

Users profiles in Domain Controller
http://forum.ultimatewindowssecurity.com/Topic5169-7-1.aspx

Hi,

I have detected user profiles in the domain controllers. Users cannot log in to them using Terminal Services because they don't have permissions. On the other hand they don't have EFS files in the server, so I don't understand why they are there, i.e. below Documents and Settings in the domain controller. The domain is a cluster of W2000 Professional and the clients are Windows XP PCs.

Best regards and thanks in advance.

Posted Mon, 29 Feb 2016 17:08:56 GMT by pepin

----------------------------------------

netsh interface portproxy add
http://forum.ultimatewindowssecurity.com/Topic5162-7-1.aspx

I am looking for information related to what level of logging must be enabled for a Windows event log entry to be created when a portproxy interface is added, and what the event ID will be. This is a common pivot method for infiltrators. Thanks for your help with this.

    >netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>

Also v6tov6, v4tov6 and v6tov4.

    >netsh wlan show networks mode=bssid

Posted Tue, 09 Feb 2016 16:38:46 GMT by alancaster

----------------------------------------

Direct Access Audit Logs
http://forum.ultimatewindowssecurity.com/Topic5160-7-1.aspx

Hi All,

I'm trying to poll Microsoft DirectAccess audit logs from Event Viewer using the IBM QRadar WinCollect agent. I followed the article below to collect the events.

blogs.technet.com/b/martin_j_solis/archive/2015/03/20/additional-way-to-monitor-directaccess-machine-user-activity-on-windows-2012-and-2012r2-directaccess-with-component-even-logging.aspx

The Details tab in Event Viewer provides more information about the user and IP details. Now the main objective is to poll the XML data from the Details tab. Please guide me if there is any possibility to poll that data.

Posted Mon, 01 Feb 2016 10:24:58 GMT by rpremk24

----------------------------------------

IT Auditor needs Log of applied patches
http://forum.ultimatewindowssecurity.com/Topic5156-7-1.aspx

I need to generate a list of applied patches on specific servers (SOX) to tie to the change management system to "prove" that the patches were approved prior to being applied.

Since I know there are many ways of pulling this information and I want it to be a repeatable process, I wanted some feedback on the pros/cons of the following:

1) Run a PowerShell script like this, looping Get-Hotfix: https://gallery.technet.microsoft.com/scriptcenter/Generate-a-Report-for-f71a6800

I think this is reliable information that shows the hotfix applied, by whom, and when. This should be adequate to tie to the change management ticketing system.

2) But what about leveraging existing logs that might be captured with Event IDs 19-24? I think capturing this series of events will probably provide more information, but in a little bit messier format?

Is there a risk of false positives/negatives in either of these approaches? This is a little out of my area of expertise!

TIA!

Posted Wed, 13 Jan 2016 09:33:01 GMT by cmengs

----------------------------------------

Auditing of lsass.exe
http://forum.ultimatewindowssecurity.com/Topic5149-7-1.aspx

I have seen demos of some tools that can indicate access to lsass.exe. Does anybody have any experience with this?
Specifically, I have seen a tool that can identify that mimikatz has accessed lsass.exe. I am currently trying to see if I can identify this behavior in the native Windows logs.

Posted Tue, 10 Nov 2015 14:54:35 GMT by somar

----------------------------------------

Windows Patch Update
http://forum.ultimatewindowssecurity.com/Topic5148-7-1.aspx

Hello, has anybody used the WSUS Offline tool from http://www.wsusoffline.net/? This is about the only tool I have found to update air-gapped Win 7 systems. These individual/standalone systems are lacking nearly two years of patches. Further, I cannot install any software on them; this tool can run on the target system from a CD. If you could please provide any feedback/advice or alternate tools available.

Thank you

Posted Thu, 05 Nov 2015 12:38:06 GMT by rdurai

----------------------------------------

Baseline for advanced audit policy for Windows Server 2012 R2
http://forum.ultimatewindowssecurity.com/Topic5144-7-1.aspx

Hello all,

I would really appreciate it if someone can let me know what would be considered the bare minimum/baseline configuration for configuring advanced audit policies for a Windows Server 2012 R2 server which is a domain controller and also a file server.

Thanks,
Dhanushka

Posted Wed, 28 Oct 2015 04:37:08 GMT by dhanushka

----------------------------------------

Logon Redundancy
http://forum.ultimatewindowssecurity.com/Topic4946-7-1.aspx

Guys, answer me this. The Logon policy controls logging of logon events on a local machine. The Account Logon policy logs logon events as submitted by another host.

So in the case of an end user logging into a member server using their Active Directory domain account, the member server is logging the event under its Logon policy success setting and the domain controller is logging the same action under its Account Logon policy success setting. Am I misunderstanding something here? This is duplicative.

As these are high volume events I'm tempted to turn off Logon success on the member servers and just let the domain controller capture it. I run an environment with an older SAN and we have to pare down excessive and duplicative logging, as we believe it is really loading our SAN and causing major latency issues. I think this would be a good move, as the only log events I'm really giving up are the successful logons to local accounts on member servers, which are few, as we have very few local accounts.

Thoughts on this? I'm trying to "log smart".

Posted Fri, 04 Sep 2015 15:17:20 GMT by WRiggs

----------------------------------------

Security Log Maximum Size - Revisited
http://forum.ultimatewindowssecurity.com/Topic4825-7-1.aspx

I found a post from August 2014 but did not see any replies from Ultimate Windows Security. I wanted to revive this and ask again. We are exploring the possibility of increasing our log size, too.
Using this article as a reference, https://support.microsoft.com/en-us/kb/957662#/en-us/kb/957662, it appears 4 GB is the maximum, which is also what it was suggested we configure ours to. Of course, we are looking to increase to at most 1 GB, citing the previous post and the 300 MB limit from the Security Log Resource Kit. It appears there are distinctions now regarding 32-bit versions vs. 64-bit versions. We are running 2008 R2 or newer, so all 64-bit.

Posted Tue, 18 Aug 2015 14:11:16 GMT by somar

----------------------------------------

Is MS patch bulletin for June 2015 missing?
http://forum.ultimatewindowssecurity.com/Topic3271-7-1.aspx

I used to see the summary table with the new patches released by MS listed here the next day.
Is it gone now?

Thank you
Mishou

Posted Thu, 25 Jun 2015 08:52:30 GMT by mishou

----------------------------------------

Windows Security Log Information
http://forum.ultimatewindowssecurity.com/Topic3263-7-1.aspx

Is there a way to add additional 'admin supplied' data (such as a unique character string) to each security record? I want to capture this unique string with my SIEM tool.

Thanks!

Posted Mon, 08 Jun 2015 13:58:47 GMT by kzjbry

----------------------------------------

system wide file create, copy, move event from audit log?
http://forum.ultimatewindowssecurity.com/Topic2700-7-1.aspx

Is there a way to find file create, copy, move, modification and permission change events system-wide without specifically enabling security auditing on specific folders of interest?

Posted Thu, 29 Jan 2015 05:24:56 GMT by prashanth

----------------------------------------

No event ID for Id enabled after locked out
http://forum.ultimatewindowssecurity.com/Topic2591-7-1.aspx

Posted Fri, 12 Dec 2014 00:12:41 GMT by nalluri4

----------------------------------------

Where can the webmail address be found in Windows?
http://forum.ultimatewindowssecurity.com/Topic1536-7-1.aspx

Hi all. The target is to know if someone (OS Win7) uses webmail, and which address he uses. I found in the Win7 registry a branch named DOMStorage, where there are SOME of the emails (with login) that were used on a PC. But, for example, if I log in to my Gmail account, nothing can be found in the registry. Performing a file search on the PC by keyword <emailname> also didn't give any results.
I'd be grateful for any thoughts on this matter. I presume there could also be a web forms cache enabled, so the user just picks his login when he goes to his webmail. Where is this cache stored? In a folder?

Posted Thu, 04 Sep 2014 16:08:56 GMT by cypherpunks01

----------------------------------------

Server 2008 R2 Domain Controller Security Log Size
http://forum.ultimatewindowssecurity.com/Topic1358-7-1.aspx

Trying to wrap my head around some conflicting information. Across the web I see references for a maximum security log size of 300 MB (UltimateWindowsSecurity.com) to 4 GB (Microsoft, probably more of a theoretical max). Many of the recommendations I found come in the middle (1-2 GB) with the caveat that filtering of the log may become problematic as it increases in size. Given I have a higher level of trust in UltimateWindowsSecurity I decided to pose the question here.

Generally speaking, our only interest in the log size increase is as a redundancy for SIEM agents failing (we've seen this regularly with one product and moved to a different product recently). Unfortunately some domain controllers (DCs) generate a lot of log data and our current setting (200 MB) retains less than one day. We are interested in increasing the log size to have 1 full day on the busiest DC as a fail-over. (We are using Advanced Audit to reduce the number of events recorded, but certain locations have a high number of events.)

While I know Randy has specified 300 MB several times as the maximum size for 2008 R2, I'm curious as to whether the only ill effect we might experience would be on the filtering end. If we can capture the data and not overly impact performance of the DC we could live with poor filtering performance (as it is a fail-over option). Wondering if anyone has comments regarding higher log sizes?

Posted Mon, 04 Aug 2014 13:26:26 GMT by Nluebbers

----------------------------------------

Log differences between server and workstation
http://forum.ultimatewindowssecurity.com/Topic1356-7-1.aspx

Hi there!

I've seen that some events are generated on a workstation platform but not on the equivalent server version (or the reverse). I would like to know if this concerns really few exceptions or if the log differences between the workstation and the server versions are really noticeable (for log analysis, for example)?

Regards

Posted Tue, 29 Jul 2014 07:17:08 GMT by denislapomme

----------------------------------------

Lockout Duration value of -1 returned by secedit
http://forum.ultimatewindowssecurity.com/Topic1338-7-1.aspx

I have a policy for Lockout Duration set to 0, which requires an admin to unlock the account. When I run secedit to retrieve the policy the result is a value of -1, which is not documented anywhere. I use the output of the secedit command to capture audit evidence, so the fact that the command does not return a 0 for the Lockout Duration creates additional work. Does anyone know if this is a known problem with secedit? How can I get it to report the correct value of 0, or is there a published document that states that -1 also represents "requires an admin to unlock"?

Posted Wed, 23 Apr 2014 13:59:21 GMT by ek105580

----------------------------------------

The most interesting security event IDs
http://forum.ultimatewindowssecurity.com/Topic1297-7-1.aspx

Hi all. We now want to use a SIEM in our organization and I should analyze tons of event logs. I'd like to make a template or a script which will give me the valuable info on possible security incidents.
So, what I'd like to know, and I will be grateful to hear your opinion, is what events should be added:
1. User logon (live user, service accounts, network user), some more?
2. Adding an account to the administrators (local, AD) group.
3. Making //hostname/c$, success or failure in accessing a PC via the network. Mapping a disk, remote desktop connections, ... more?

I'd appreciate all advice on what IDs are most interesting to start IT security incident analysis.

Posted Wed, 04 Dec 2013 02:59:02 GMT by cypherpunks01

----------------------------------------

What are the most relevant Windows events to monitor related to actions that users can do
http://forum.ultimatewindowssecurity.com/Topic1268-7-1.aspx

Hi all,

We have a list of suspicious users and we want to monitor these users within the AD servers and workstations.

We want to monitor the actions taken by these users such as:

- Changing audit policy
- Access to objects
- Installation / uninstall of services
- Access / modification of files

Regards,

Posted Thu, 24 Oct 2013 17:47:05 GMT by carlos.alcocer

----------------------------------------

Problem with HotFix Windows of EventID 4719
http://forum.ultimatewindowssecurity.com/Topic1271-7-1.aspx

I'm having trouble generating event 4719 (Change Audit Policies). I'm receiving the hostname instead of the username of the Active Directory user.

I've applied a Microsoft hotfix for my Windows Server 2008 R2, and now I don't even see, in Event Viewer, event 4719 that corresponds to the audit policy change.

Also, the hotfix has been tested for Windows 2008 R2 Standard and Enterprise and does not work.

Best regards,

Posted Fri, 25 Oct 2013 18:28:07 GMT by carlos.alcocer

----------------------------------------

Scheduled PowerShell Tasks as Local System Account
http://forum.ultimatewindowssecurity.com/Topic892-7-1.aspx

Hey Randy,

Regarding running services/tasks as the local system account, I have a PowerShell script that I need to run as a scheduled task. I would prefer to run the script using the built-in local system account, however the script needs to access a remote computer to perform some operations.

So my questions are as follows.

1. Am I making a big security mistake, and should I run the scheduled task as a domain user with the required access (admins)?

2. If I can use the local system account, how do I give it permission on the remote computer to do its job?

I assume I need to give the Server1$ account rights on RemoteServer$ somehow?

Posted Sun, 08 Jan 2012 16:03:15 GMT by andrewhuddleston

----------------------------------------

Hot Fix for Windows events do not log the name of the user account
http://forum.ultimatewindowssecurity.com/Topic1270-7-1.aspx

Hi,
I'm tracking some Windows event logs and I found a problem with them. I made some tests changing local audit policies, but I couldn't get the correct Source Account Name; I always saw the system user, like ESTEFANIA$. I found a hotfix to solve this problem but I could only test it on my Windows 7 SP1 workstation.
Could somebody tell me if you have had any experience with this hotfix on other Windows versions? According to the Windows KB, the hotfix supports the following versions:
  Windows Vista Service Pack 2 (SP2)
  Windows Server 2008 Service Pack 2 (SP2)
  Windows 7
  Windows 7 Service Pack 1 (SP1)
  Windows Server 2008 R2
  Windows Server 2008 R2 Service Pack 1 (SP1)

Regards

Posted Fri, 25 Oct 2013 12:49:49 GMT by estefania1409

----------------------------------------

Audit Settings - GPO issue
http://forum.ultimatewindowssecurity.com/Topic1217-7-1.aspx

Has anyone encountered an issue where audit settings are not applied properly via GPO? We're getting inundated with Windows Filtering events because the GPO setting to disable this subcategory isn't being applied. The switch to enable subcategories is set in the GPO. We're on Windows 2008 R2 and Windows Server 2003 (obviously no subcategory support). We've gone through all the normal troubleshooting and our support vendor is so far stumped.

Thanks,
Paul

Posted Fri, 10 May 2013 15:10:33 GMT by PaulL

----------------------------------------

Local admin passwords
http://forum.ultimatewindowssecurity.com/Topic1163-7-1.aspx

Can local admin passwords be the same, or should they (for security) be the same?

Posted Tue, 15 Jan 2013 14:00:29 GMT by leduca

----------------------------------------

How to Download the Free Windows Security Log Quick Reference Chart
http://forum.ultimatewindowssecurity.com/Topic1133-7-1.aspx

Trying to download the Free Windows Security Log Quick Reference Chart and not seeing the link. Is this a problem with IE? I enter my email address and I'm taken to the page to download it, but all I get is prompted to enter my email address again.

Would appreciate some assistance.

Thanks

Posted Mon, 05 Nov 2012 14:08:39 GMT by Doug

----------------------------------------

Windows Security Compliance Manager
http://forum.ultimatewindowssecurity.com/Topic1125-7-1.aspx

Hello, I'm trying to import a GPO I created with Windows Security Compliance Manager into our domain group policy for testing. I've tried in .cab format and as a GPO backup. I know I'm missing something. Can anyone tell me what I'm doing wrong?

Posted Mon, 29 Oct 2012 11:56:47 GMT by ttish

----------------------------------------

User Account frequently getting locked
http://forum.ultimatewindowssecurity.com/Topic1076-7-1.aspx

Hello,

I am facing an issue with one user account lockout. When I checked the domain controller I found logs showing that the requests are coming from the MS Exchange CAS/HUB server. On the Exchange server I see events 4634, 4624 and 4648.

I am not able to trace the exact source, as these events give the network address as the same Exchange server hostname. Please help to resolve this issue.

Posted Tue, 11 Sep 2012 13:09:16 GMT by Najmuddin

----------------------------------------

Auto update of Distribution groups
http://forum.ultimatewindowssecurity.com/Topic1077-7-1.aspx

Hello,

I have one request: is there any script or way to automatically update distribution groups? Any changes in the DL should be auto-updated instead of updating manually; it's a static DL, not a dynamic DL. Please suggest.

Posted Tue, 11 Sep 2012 13:14:50 GMT by Najmuddin

----------------------------------------

Folder/File Access Permissions
http://forum.ultimatewindowssecurity.com/Topic1072-7-1.aspx

I need to see if there is a free webinar or something that will give me the basic knowledge and how-to for assigning access rights to folders and files.

Step one all the way down, in an example format???

I can add groups or users and give them access, but I get confused on what it actually does with the inherited permissions and child objects. I guess I have a mental BLOCK for some reason.

I am learning IT by the seat of my pants as the previous IT administrator left.

Any information would be very helpful.

For some reason, on our network, I discovered that all users have full control of everything. BAD!!! I don't want that. I need to plan out my best procedure to fix this issue without creating a big mess.

They should be able to view the contents of a folder, but some folders need to be restricted as to who can actually open the files in those folders.

Posted Fri, 07 Sep 2012 11:28:35 GMT by tedy

----------------------------------------

Windows AD on Server 2008
http://forum.ultimatewindowssecurity.com/Topic1054-7-1.aspx

The security was just changed so users with multiple roles at the university, such as student and student aide, will now have the same IDs in the two domains. The application I am using will fail the login attempt unless the user ID is entered with "@domain" attached. My understanding is that if the domain is not specified AD gets confused with the login attempt since it sees both domain IDs and is not sure which to pick. The use of the domain causes problems in the system since the application sees the user ID as the whole string, including the "@domain". Since the application, and the server it runs on, only need to access the one domain, is there a way to force the server to always use a specific domain? Am I totally off base that this is the problem?

I am running Windows Server 2008.

The message from the event viewer is:

+ System
  - Provider
      [ Name]  Microsoft-Windows-Security-Auditing
      [ Guid]  {54849625-5478-4994-a5ba-3e3b0328c30d}
    EventID 4625
    Version 0
    Level 0
    Task 12544
    Opcode 0
    Keywords 0x8010000000000000
  - TimeCreated
      [ SystemTime]  2012-07-17T13:49:01.092Z
    EventRecordID 367639
    Correlation
  - Execution
      [ ProcessID]  644
      [ ThreadID]  724
    Channel Security
    Computer WOS.Resource.hofstra.univ
    Security
- EventData
    SubjectUserSid S-1-5-18
    SubjectUserName WOS$
    SubjectDomainName RESOURCE
    SubjectLogonId 0x3e7
    TargetUserSid S-1-0-0
    TargetUserName jmonca1
    TargetDomainName
    Status 0xc000006d
    FailureReason %%2313
    SubStatus 0xc0000064
    LogonType 3
    LogonProcessName Advapi
    AuthenticationPackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    WorkstationName WOS
    TransmittedServices -
    LmPackageName -
    KeyLength 0
    ProcessId 0x668
    ProcessName C:\Windows\System32\MUdtSrvr.exe
    IpAddress -
    IpPort -

Posted Tue, 17 Jul 2012 10:59:34 GMT by pltmcs

----------------------------------------

AD Schema changes
http://forum.ultimatewindowssecurity.com/Topic1007-7-1.aspx

We are looking for information on how to audit AD schema changes; we hope it would be Directory Service events, however we need to know more on which event IDs exactly do the job.

Posted Fri, 11 May 2012 06:54:50 GMT by brucemcclane

----------------------------------------

How runtime errors will be logged in Event Viewer
http://forum.ultimatewindowssecurity.com/Topic985-7-1.aspx

I'm looking for a way to detect runtime errors with events being forwarded to a remote host.

Is there an Event ID linked to these errors?

What would be a logical way to react when I'm seeing runtime errors on a host like error 53509?

Thanks in advance.

Posted Tue, 17 Apr 2012 19:12:36 GMT by cesarar

----------------------------------------

File Integrity with WFP
http://forum.ultimatewindowssecurity.com/Topic971-7-1.aspx

Can Windows File Protection be sufficient as a file integrity monitoring system for critical operating system files according to PCI-DSS 11.5? If it isn't enough, is it safe to audit the whole system32 folder with Windows file auditing, or will it have a big impact on performance?

Posted Tue, 13 Mar 2012 13:21:17 GMT by JohanAndersson

----------------------------------------

Recommendations on DMZ Authentication architecture
http://forum.ultimatewindowssecurity.com/Topic967-7-1.aspx

Hi,

We are redesigning our DMZ, and are looking for DMZ authentication recommendations (Active Directory) for a secure design. In particular, there is a desire to use internal domain credentials for system accounts/admins to authenticate to DMZ assets.

Any guidance would be greatly appreciated, or a recommendation for a resource that could perform a small engagement to review the design.

Much thanks,

Kris

Posted Mon, 12 Mar 2012 17:04:43 GMT by Kris
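The "netsh interface portproxy add" post above (alancaster, Feb 2016) asks what auditing has to be on for a portproxy rule to leave a trace and which event ID to look for. The PowerShell below is an added example written for this page; it is not code from the thread, from the poster, or from UltimateWindowsSecurity. It assumes that the Process Creation audit subcategory is enabled (Security event 4688) together with the "Include command line in process creation events" policy, since without that policy 4688 records netsh.exe but not its arguments, and it pairs the 4688 search with a read of the registry key under which netsh persists portproxy rules, so that rules added before auditing was switched on still surface. The function names Get-PortProxy4688 and Get-PersistedPortProxy, the seven-day search window and the command-line regex are my own choices.

```powershell
# Added example, not code from the forum thread.
# Assumed prerequisites on the host being checked (run elevated):
#   auditpol /set /subcategory:"Process Creation" /success:enable
#   and "Include command line in process creation events" enabled, which sets
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
#     ProcessCreationIncludeCmdLine_Enabled = 1 (DWORD)
# Without the second setting the CommandLine field of 4688 is empty and a
# "portproxy add" is indistinguishable from any other netsh invocation.

# Matches v4tov4, v6tov6, v4tov6 and v6tov4 and tolerates extra whitespace.
$portproxyAdd = 'interface\s+portproxy\s+add\s+v[46]tov[46]'

function Get-PortProxy4688 {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the EventData fields by name from the event XML rather than by position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.CommandLine -match $portproxyAdd) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Subject     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Process     = $data.NewProcessName
                Parent      = $data.ParentProcessName   # populated on 8.1/2012 R2 and later only
                CommandLine = $data.CommandLine
            }
        }
    }
}

function Get-PersistedPortProxy {
    # netsh stores each rule as a registry value under this key: the value name is
    # "listenaddress/listenport" and the value data is "connectaddress/connectport".
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    foreach ($family in 'v4tov4', 'v6tov6', 'v4tov6', 'v6tov4') {
        $key = Join-Path $base "$family\tcp"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $listenAddr, $listenPort   = $name -split '/', 2
            $connectAddr, $connectPort = $item.GetValue($name) -split '/', 2
            [pscustomobject]@{
                Family      = $family
                ListenAddr  = $listenAddr
                ListenPort  = $listenPort
                ConnectAddr = $connectAddr
                ConnectPort = $connectPort
            }
        }
    }
}

$events = @(Get-PortProxy4688)
$rules  = @(Get-PersistedPortProxy)

'Process-creation events (4688) that added a portproxy rule in the last 7 days:'
$events | Format-Table Time, Subject, Parent, CommandLine -AutoSize

'Portproxy rules currently persisted in the registry:'
$rules | Format-Table -AutoSize

# A persisted rule with no matching 4688 is the one worth chasing: either auditing or the
# command-line policy was off when it was added, the Security log has already rolled over,
# or the rule was written to the registry directly instead of through netsh.
foreach ($r in $rules) {
    $matched = $events | Where-Object {
        $_.CommandLine -match "listenport=$($r.ListenPort)\b" -and
        $_.CommandLine -match "connectport=$($r.ConnectPort)\b"
    }
    if (-not $matched) {
        Write-Warning ('No 4688 found for {0} {1}:{2} -> {3}:{4}' -f $r.Family, $r.ListenAddr, $r.ListenPort, $r.ConnectAddr, $r.ConnectPort)
    }
}
```

The registry read is the same information `netsh interface portproxy show all` prints, but it does not depend on netsh being present or trusted. If you also want the write itself audited, put a SACL for Set Value on the PortProxy key and enable the Registry audit subcategory; the value change then appears as Security event 4657 with netsh.exe (or whatever wrote the value) as the process.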